
Trojan.Tracur


39 replies to this topic

#1 nexus88

nexus88

    New Member

  • Members
  • Pip
  • 20 posts

Posted 23 July 2011 - 01:55 AM

Hello, long-time user of the program, new member. I've been trying to remove this trojan that keeps on reappearing after I delete it with Malwarebytes, and yes, I've updated the program as well, and every time I restart it and rescan, the same virus appears.

This is where it's located; I uploaded a recent scan txt that found it too.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BROWSER32 (Trojan.Tracur)

Any suggestion about this?

It doesn't let me edit my post, but here's the TXT from the scan.


Um, anything?...


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
Run by Chris at 1:34:24 on 2011-07-24
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1062 [GMT -7:00]
.
AV: Kaspersky Anti-Virus *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011x\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011x\avp.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.sbc.com/dsl
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2011x\ievkbd.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2011x\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2011x\avp.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\documents and settings\chris\start menu\programs\startup\PowerReg Scheduler.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2011x\klwtbbho.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2011x\klwtbbho.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: Interfaces\{B58C6BB7-D7CC-4D2A-87FF-55AABEFC2B71} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\chris\application data\mozilla\firefox\profiles\m6k9iapt.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 62323
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\chris\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-7-23 475736]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2011x\avp.exe [2010-11-2 365336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2010-5-2 24652]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]
S0 rslcy;rslcy;c:\windows\system32\drivers\uptklb.sys --> c:\windows\system32\drivers\uptklb.sys [?]
S2 Browser32;Computer Browser ;c:\windows\system32\avtapi32.exe --> c:\windows\system32\avtapi32.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Desura Install Service32;Desura Install Service ;c:\windows\system32\avtapi32.exe --> c:\windows\system32\avtapi32.exe [?]
S2 Dnscache32;DNS Client ;c:\windows\system32\avtapi32.exe --> c:\windows\system32\avtapi32.exe [?]
S2 helpsvc32;Help and Support ;c:\windows\system32\avtapi32.exe --> c:\windows\system32\avtapi32.exe [?]
S2 iPod Service32;iPod Service ;c:\windows\system32\msjetoledb4032.exe --> c:\windows\system32\msjetoledb4032.exe [?]
S2 RemoteAccess32;Routing and Remote Access ;c:\windows\system32\msexcl4032.exe --> c:\windows\system32\msexcl4032.exe [?]
S2 WmdmPmSN32;Portable Media Serial Number Service ;c:\windows\system32\shell3232.exe --> c:\windows\system32\shell3232.exe [?]
S3 3DRipDriver;3D Ripper monitoring driver;c:\program files\3dripperdx\3DRipDriver.sys [2010-5-2 6656]
S3 Desura Install Service;Desura Install Service;c:\program files\common files\desura\desura_service.exe [2011-3-28 128832]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\autodesk\3ds max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-3-12 86016]
.
=============== Created Last 30 ================
.
2011-07-24 08:14:05 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab Setup Files
2011-07-24 08:05:31 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-24 08:05:31 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-24 05:57:24 97859 ----a-w- c:\windows\system32\drivers\klick.dat
2011-07-24 05:57:24 115369 ----a-w- c:\windows\system32\drivers\klin.dat
2011-07-24 05:55:11 -------- d-----w- c:\program files\Kaspersky Lab
2011-07-24 05:55:10 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab
2011-07-23 20:46:28 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer
2011-07-23 03:38:07 -------- d-----w- C:\TDSSKiller_Quarantine
2011-07-23 01:04:48 -------- d-----w- c:\documents and settings\chris\local settings\application data\PMB Files(2)
2011-07-23 01:04:48 -------- d-----w- c:\documents and settings\chris\local settings\application data\Pando_Temp
2011-07-23 01:04:48 -------- d-----w- c:\documents and settings\chris\local settings\application data\Identities
2011-07-23 01:04:48 -------- d-----w- c:\documents and settings\chris\local settings\application data\GameSpy
2011-07-23 01:04:48 -------- d-----w- c:\documents and settings\chris\local settings\application data\Chromium
2011-07-23 01:04:48 -------- d-----w- c:\documents and settings\chris\local settings\application data\0luke0
2011-07-23 01:04:42 -------- d-----w- c:\documents and settings\chris\application data\6B1D3F937C281392BC7AF049F4AF557F
2011-07-23 00:56:39 -------- d-----w- C:\RECYCLER(2)
2011-07-22 12:32:15 98816 ----a-w- c:\windows\sed.exe
2011-07-22 12:32:15 518144 ----a-w- c:\windows\SWREG.exe
2011-07-22 12:32:15 256000 ----a-w- c:\windows\PEV.exe
2011-07-22 12:32:15 208896 ----a-w- c:\windows\MBR.exe
2011-07-16 20:21:06 -------- d-----w- c:\program files\Pando Networks(2)
2011-07-08 21:51:02 -------- d-----w- C:\UDK
2011-07-03 23:52:31 -------- d-----w- c:\program files\GamersFirst
2011-07-03 21:54:41 -------- d-----w- c:\documents and settings\all users\application data\EA Core
2011-07-03 21:54:40 -------- d-----w- c:\documents and settings\all users\application data\Electronic Arts
2011-06-30 04:12:32 -------- d-sha-r- C:\cmdcons
2011-06-29 22:14:15 -------- d-----w- c:\program files\AVAST Software
2011-06-29 22:14:15 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-06-29 21:23:30 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-06-29 21:23:29 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-06-29 21:23:29 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-06-29 21:23:29 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-06-29 21:23:29 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-29 21:23:29 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-29 21:23:29 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-06-29 21:23:29 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-06-26 21:53:03 -------- d-----w- c:\documents and settings\chris\application data\spiral
2011-06-25 00:03:51 -------- d-----w- c:\program files\Sony Media Go Install
.
==================== Find3M ====================
.
2011-07-16 03:46:03 140024 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-07-16 03:45:55 280768 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-07-16 03:45:55 280768 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-07-16 03:21:19 266400 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-18 11:13:49 0 ---ha-w- c:\documents and settings\chris\vzipsdhujw.tmp
.
============= FINISH: 1:36:02.75 ===============




Here's a DDS scan from it. Please, I'd really like a response about this problem. I would expect some professional to actually look at this...


Some "help"

Groups authorized to help with HJT logs

http://forums.malwar...showtopic=12264

I got infected with tracur/y and tracur/q. I removed them by deleting the browser temporary internet files, running Malwarebytes and scanning with MSE. I'm not sure if Malwarebytes or MSE got rid of it. I read that tracur hides in the browser cache/temporary internet files.


Where would that be located?

And seriously, no mods or anyone even bothering to help out?

#2 LDTate

LDTate

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 21,126 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 25 July 2011 - 07:04 AM


Please don't attach the scans / logs, use "copy/paste".


We look for posts with 0 replies, so when you posted to your own log, we assumed you were being helped.




DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.


Vista and Windows 7 users:
1. These tools MUST be run from the executable (.exe) every time you run them.
2. With Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Open Notepad, click on Format and uncheck Word Wrap.


Internet Explorer (Windows)
1. Click "Tools", then click "Internet Options". This will bring up the Internet Options window.

2. Click the "Connections" tab, then click the "LAN Settings" button.

3. Uncheck the box labeled "Use a proxy server for your LAN". Click "OK", and click "OK" in the previous window. This will remove the proxy server settings in Internet Explorer.



Firefox (Windows)
1. Click "Tools", then click "Options" to bring up the Options window.

2. Click the "Advanced" button, then click the "Network" tab.

3. Click the "Settings" button, located next to "Configure how Firefox connects to the Internet".

4. Click the radio button labeled "No proxy". Click "OK" twice. This will remove the proxy server settings in Firefox.



Next:


Disable Internet Explorer Proxy Settings and Reset TCP/IP and Winsock

It is very important that these steps be carried out exactly as shown otherwise the fix will not work.
If you have any questions please ask before moving on.
  • Please start Notepad and, using your mouse, make sure you select and copy all the information below in the Code box into your new document.
  • Then save the file as "fixme.bat" to your Desktop
  • In the drop down box for Save as type: make sure you select All Files (*.*) and keep the quotes on the name as well. Then close the new file.
    @ECHO OFF
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable  /t REG_DWORD /d 0 /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v GlobalUserOffline /t REG_DWORD /d 0 /f
    netsh int ip reset resetlog.txt
    netsh winsock reset catalog
  • On Windows XP you can double-click the file to run it.
  • On Vista/Win7 you need to Right click the file and choose Run as administrator to run it. With User Account Control on it should ask permission to run it. Click Yes
  • This will flash a black DOS box very quickly and go away; this is normal.
  • Restart your computer now.
  • Launch Internet Explorer and see if you can connect to the Internet.
  • Launch MBAM and check for Updates

Larry Tate
Product Support

Posted Image

Follow us: Twitter, Become a fan: Facebook

#3 nexus88


Posted 25 July 2011 - 12:22 PM

Where exactly do I Disable Internet Explorer Proxy Settings and Reset TCP/IP? My Firefox was already disabled from proxy. And I don't use IE, but do I still have to set those?

#4 LDTate


Posted 25 July 2011 - 12:26 PM

We won't worry about IE then.

Looks like you already have Combofix. Did you run it?

#5 nexus88


Posted 25 July 2011 - 12:29 PM

We won't worry about IE then.

Looks like you already have Combofix. Did you run it?

Alright, so I don't do anything with IE then; I already set up Firefox though.

And I got the .bat saved with the code box you wanted me to copy into it.

I did run Combofix once; however, it did not fix the issue and seemed to disable some of my programs, so I had to System Restore back to before I used Combofix. I just posted the log in case.

#6 LDTate


Posted 25 July 2011 - 12:31 PM

Run the .bat if you haven't already and let me know how it's running.

#7 nexus88


Posted 25 July 2011 - 12:35 PM

Run the .bat if you haven't already and let me know how it's running.


Alright, so I just follow the part about disabling the Firefox proxy only then? Making sure I'm following this right. And I have to check back on this in an hour; sorry, didn't think I'd get a reply so soon.

After I set up the .bat, I restart the computer, then use Malwarebytes, update it, then quick scan?

#8 LDTate


Posted 25 July 2011 - 12:36 PM

Alright, so I just follow the part about disabling the Firefox proxy only then? Making sure I'm following this right. And I have to check back on this in an hour; sorry, didn't think I'd get a reply so soon.

After I set up the .bat, I restart the computer, then use Malwarebytes, update it, then quick scan?

Yes

#9 nexus88


Posted 25 July 2011 - 02:12 PM

Alright, I'm back. I've tried using the .bat, but there was some error I got:

Posted Image

I'm not sure if it worked or not, and I haven't restarted at the moment, since it looks like an error from it. What do I do?

#10 LDTate


Posted 25 July 2011 - 03:05 PM

From your DDS scan it showed a proxy server port:
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\chris\application data\mozilla\firefox\profiles\m6k9iapt.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 62323
FF - prefs.js: network.proxy.type - 0


Run a new DDS scan and post the results.
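As an added example (not code from the original posts, nor from DDS or Malwarebytes), a small Python triage script over the kind of DDS output pasted in this thread: it pulls out the Firefox proxy prefs pointed at in post #10, flags services that copy a built-in service's display name with "32" appended and whose image file DDS could not find (the Browser32/Dnscache32/helpsvc32 entries sharing avtapi32.exe in the log), and derives the Enum\Root\LEGACY_* key name that matches the Trojan.Tracur detection in post #1, which is why deleting only that key while the service stays registered does not hold. BUILTIN_DISPLAY_NAMES and the sample lines are assumptions taken from this thread's log.

```python
"""Triage helper for a DDS log like the ones pasted in this thread.  Added
example; it is not part of the original posts or of the DDS tool itself."""
import re
from collections import defaultdict

# Display names of built-in Windows XP services that the thread's log shows
# being impersonated by look-alike "<name>32" entries.  Assumed short list for
# the example; extend it for other logs.
BUILTIN_DISPLAY_NAMES = {
    "Computer Browser", "DNS Client", "Help and Support",
    "Routing and Remote Access", "Portable Media Serial Number Service",
}

# "FF - prefs.js: network.proxy.http - 127.0.0.1"
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\S+) - (.*)$")
# "S2 Browser32;Computer Browser ;c:\...\avtapi32.exe --> c:\...\avtapi32.exe [?]"
# "R2 AVP;Kaspersky Anti-Virus Service;c:\...\avp.exe [2010-11-2 365336]"
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")


def parse_firefox_proxy(lines):
    """Collect the network.proxy.* prefs that DDS printed from prefs.js."""
    prefs = {}
    for line in lines:
        m = FF_PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def parse_services(lines):
    """Parse the SERVICES / DRIVERS section into dicts."""
    services = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        # DDS prints "path --> path [?]" when it could not stat the image file.
        path = rest.split(" -->")[0].split(" [")[0].strip().lower()
        services.append({
            "name": m.group("name").strip(),
            "display": m.group("display").strip(),
            "path": path,
            "missing": rest.endswith("[?]"),
        })
    return services


def legacy_enum_key(service_name):
    """Registry key Windows keeps under Enum\\Root for a registered service;
    MBAM reported exactly this key for Browser32 in the thread.  Names with
    spaces are left as-is here (verify those manually)."""
    return (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_"
            + service_name.upper())


def triage(log_text):
    """Return the findings a helper would look for in this kind of DDS log."""
    lines = log_text.splitlines()
    result = {"firefox_proxy": None, "suspicious_services": [], "shared_images": {}}

    prefs = parse_firefox_proxy(lines)
    host = prefs.get("network.proxy.http")
    if host in ("127.0.0.1", "localhost"):
        result["firefox_proxy"] = {
            "host": host,
            "port": prefs.get("network.proxy.http_port"),
            # network.proxy.type 0 means "no proxy": the pref is stale and not
            # in use, which is still worth cleaning out.
            "active": prefs.get("network.proxy.type") != "0",
        }

    by_path = defaultdict(list)
    for svc in parse_services(lines):
        by_path[svc["path"]].append(svc["name"])
        reasons = []
        if svc["name"].endswith("32") and svc["display"] in BUILTIN_DISPLAY_NAMES:
            reasons.append("display name belongs to a built-in service")
        if svc["missing"]:
            reasons.append("image file not found by DDS")
        if reasons:
            result["suspicious_services"].append(
                {"name": svc["name"], "path": svc["path"], "reasons": reasons,
                 "enum_key": legacy_enum_key(svc["name"])})
    # Several services sharing one image is how the fake *32 entries show up.
    result["shared_images"] = {p: n for p, n in by_path.items() if len(n) > 1}
    return result


# Lines excerpted from the first DDS log in this thread (constructed sample).
SAMPLE_LOG = r"""
================= FIREFOX ===================
.
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 62323
FF - prefs.js: network.proxy.type - 0
.
============= SERVICES / DRIVERS ===============
.
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2011x\avp.exe [2010-11-2 365336]
S0 rslcy;rslcy;c:\windows\system32\drivers\uptklb.sys --> c:\windows\system32\drivers\uptklb.sys [?]
S2 Browser32;Computer Browser ;c:\windows\system32\avtapi32.exe --> c:\windows\system32\avtapi32.exe [?]
S2 Dnscache32;DNS Client ;c:\windows\system32\avtapi32.exe --> c:\windows\system32\avtapi32.exe [?]
S3 Desura Install Service;Desura Install Service;c:\program files\common files\desura\desura_service.exe [2011-3-28 128832]
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Paste a full DDS log into SAMPLE_LOG (or read it from a file) to run the same checks over the whole SERVICES / DRIVERS and FIREFOX sections.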

#11 nexus88


Posted 25 July 2011 - 03:17 PM

Where can I get the latest DDS?

#12 LDTate


Posted 25 July 2011 - 03:18 PM

You already ran it once.

#13 LDTate


Posted 25 July 2011 - 03:19 PM

http://download.blee...om/sUBs/dds.scr

#14 nexus88


Posted 25 July 2011 - 03:29 PM

Sorry, I thought there was an updated version of it.

Here's the DDS results.



.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
Run by Chris at 13:23:58 on 2011-07-25
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1314 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DNA\btdna.exe
svchost.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\Chris\Desktop\steam_chatlog_b4fix\Chat Log.exe
C:\WINDOWS\system32\msiexec.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.sbc.com/dsl
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: Interfaces\{B58C6BB7-D7CC-4D2A-87FF-55AABEFC2B71} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\chris\application data\mozilla\firefox\profiles\m6k9iapt.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 62323
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\chris\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl00e1a7ec;MpKsl00e1a7ec;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dd5b46f3-0a23-4834-9970-3188e5617d4e}\MpKsl00e1a7ec.sys [2011-7-25 28752]
R1 MpKsl35b44083;MpKsl35b44083;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dd5b46f3-0a23-4834-9970-3188e5617d4e}\MpKsl35b44083.sys [2011-7-25 28752]
R1 MpKsl39706d7e;MpKsl39706d7e;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dd5b46f3-0a23-4834-9970-3188e5617d4e}\MpKsl39706d7e.sys [2011-7-25 28752]
R1 MpKsl678d6582;MpKsl678d6582;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dd5b46f3-0a23-4834-9970-3188e5617d4e}\MpKsl678d6582.sys [2011-7-25 28752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2010-5-2 24652]
R4 KL1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
R4 kl2;kl2;c:\windows\system32\drivers\kl2.sys --> c:\windows\system32\drivers\kl2.sys [?]
R4 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys --> c:\windows\system32\drivers\klif.sys [?]
R4 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys --> c:\windows\system32\drivers\klmouflt.sys [?]
S0 rslcy;rslcy;c:\windows\system32\drivers\uptklb.sys --> c:\windows\system32\drivers\uptklb.sys [?]
S2 Browser32;Computer Browser ;c:\windows\system32\avtapi32.exe --> c:\windows\system32\avtapi32.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Desura Install Service32;Desura Install Service ;c:\windows\system32\avtapi32.exe --> c:\windows\system32\avtapi32.exe [?]
S2 Dnscache32;DNS Client ;c:\windows\system32\avtapi32.exe --> c:\windows\system32\avtapi32.exe [?]
S2 helpsvc32;Help and Support ;c:\windows\system32\avtapi32.exe --> c:\windows\system32\avtapi32.exe [?]
S2 iPod Service32;iPod Service ;c:\windows\system32\msjetoledb4032.exe --> c:\windows\system32\msjetoledb4032.exe [?]
S2 RemoteAccess32;Routing and Remote Access ;c:\windows\system32\msexcl4032.exe --> c:\windows\system32\msexcl4032.exe [?]
S2 WmdmPmSN32;Portable Media Serial Number Service ;c:\windows\system32\shell3232.exe --> c:\windows\system32\shell3232.exe [?]
S3 3DRipDriver;3D Ripper monitoring driver;c:\program files\3dripperdx\3DRipDriver.sys [2010-5-2 6656]
S3 Desura Install Service;Desura Install Service;c:\program files\common files\desura\desura_service.exe [2011-3-28 128832]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-2-17 41272]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\autodesk\3ds max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-3-12 86016]
.
=============== Created Last 30 ================
.
2011-07-25 20:22:30 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dd5b46f3-0a23-4834-9970-3188e5617d4e}\MpKsl39706d7e.sys
2011-07-25 19:47:29 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dd5b46f3-0a23-4834-9970-3188e5617d4e}\MpKsl00e1a7ec.sys
2011-07-25 19:24:51 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dd5b46f3-0a23-4834-9970-3188e5617d4e}\MpKsl35b44083.sys
2011-07-25 19:22:29 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dd5b46f3-0a23-4834-9970-3188e5617d4e}\MpKsl678d6582.sys
2011-07-25 04:04:13 -------- d-----w- c:\documents and settings\chris\local settings\application data\Darksiders
2011-07-25 00:22:15 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dd5b46f3-0a23-4834-9970-3188e5617d4e}\mpengine.dll
2011-07-25 00:22:08 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-07-25 00:14:52 -------- d-----w- c:\program files\Microsoft Security Client
2011-07-24 08:05:31 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-24 08:05:31 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-24 05:55:10 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab
2011-07-23 20:46:28 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer
2011-07-23 03:38:07 -------- d-----w- C:\TDSSKiller_Quarantine
2011-07-23 01:04:48 -------- d-----w- c:\documents and settings\chris\local settings\application data\PMB Files(2)
2011-07-23 01:04:48 -------- d-----w- c:\documents and settings\chris\local settings\application data\Pando_Temp
2011-07-23 01:04:48 -------- d-----w- c:\documents and settings\chris\local settings\application data\Identities
2011-07-23 01:04:48 -------- d-----w- c:\documents and settings\chris\local settings\application data\GameSpy
2011-07-23 01:04:48 -------- d-----w- c:\documents and settings\chris\local settings\application data\Chromium
2011-07-23 01:04:48 -------- d-----w- c:\documents and settings\chris\local settings\application data\0luke0
2011-07-23 01:04:42 -------- d-----w- c:\documents and settings\chris\application data\6B1D3F937C281392BC7AF049F4AF557F
2011-07-23 00:56:39 -------- d-----w- C:\RECYCLER(2)
2011-07-22 12:32:15 98816 ----a-w- c:\windows\sed.exe
2011-07-22 12:32:15 518144 ----a-w- c:\windows\SWREG.exe
2011-07-22 12:32:15 256000 ----a-w- c:\windows\PEV.exe
2011-07-22 12:32:15 208896 ----a-w- c:\windows\MBR.exe
2011-07-16 20:21:06 -------- d-----w- c:\program files\Pando Networks(2)
2011-07-08 21:51:02 -------- d-----w- C:\UDK
2011-07-03 23:52:31 -------- d-----w- c:\program files\GamersFirst
2011-07-03 21:54:41 -------- d-----w- c:\documents and settings\all users\application data\EA Core
2011-07-03 21:54:40 -------- d-----w- c:\documents and settings\all users\application data\Electronic Arts
2011-06-30 04:12:32 -------- d-sha-r- C:\cmdcons
2011-06-29 22:14:15 -------- d-----w- c:\program files\AVAST Software
2011-06-29 22:14:15 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-06-29 21:23:30 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-06-29 21:23:29 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-06-29 21:23:29 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-06-29 21:23:29 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-06-29 21:23:29 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-29 21:23:29 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-29 21:23:29 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-06-29 21:23:29 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-06-26 21:53:03 -------- d-----w- c:\documents and settings\chris\application data\spiral
.
==================== Find3M ====================
.
2011-07-16 03:46:03 140024 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-07-16 03:45:55 280768 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-07-16 03:45:55 280768 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-07-16 03:21:19 266400 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-18 11:13:49 0 ---ha-w- c:\documents and settings\chris\vzipsdhujw.tmp
.
============= FINISH: 13:24:18.85 ===============

#15 LDTate

    Forum Deity

  • Moderators
  • 21,126 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 25 July 2011 - 03:33 PM

That port might be caused by Skype.


http://www.eset.eu/online-scanner
Go here to run an online scanner from ESET.
Click the green ESET Online Scanner button.
Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
Click on the Start button next to it.
You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
A new window will appear asking "Do you want to install this software?".
Answer Yes to download and install the ActiveX controls that allow the scan to run.
Click Start.
Check Remove found threats and Scan potentially unwanted applications.
Click Scan to begin.
If offered the option to get information or buy software, just close the window.
Wait for the scan to finish.
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.
Larry Tate
Product Support


#16 nexus88

    New Member

  • Members
  • 20 posts

Posted 25 July 2011 - 03:42 PM

Do I need to dl "esetsmartinstaller_enu.exe" to use the scanner?

#17 LDTate

    Forum Deity

  • Moderators
  • 21,126 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 25 July 2011 - 03:44 PM

Yes
Larry Tate
Product Support


#18 nexus88

    New Member

  • Members
  • 20 posts

Posted 25 July 2011 - 05:44 PM

The scan is going to take a while; I think it's doing a full scan at the moment. Is that the only scan I can do?

#19 LDTate

    Forum Deity

  • Moderators
  • 21,126 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 25 July 2011 - 05:56 PM

If that scan doesn't remove the infection, the next step would be Combofix.
Larry Tate
Product Support


#20 nexus88

    New Member

  • Members
  • 20 posts

Posted 25 July 2011 - 06:25 PM

I mean, is there a quick scan for ESET or do I have to do a full scan?
